{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23658", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-01-14T16:59:33.463Z", "datePublished": "2026-03-19T21:06:23.083Z", "dateUpdated": "2026-03-19T21:21:08.918Z"}, "containers": {"cna": {"title": "Azure DevOps: msazure Elevation of Privilege Vulnerability", "datePublic": "2026-03-19T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_devops_msazure:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Azure DevOps: msazure", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-522: Insufficiently Protected Credentials", "lang": "en-US", "type": "CWE", "cweId": "CWE-522"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-03-19T21:21:08.918Z"}, "references": [{"name": "Azure DevOps: msazure Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23658"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}}}

{}

{"cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network."}], "id": "CVE-2026-23658", "lastModified": "2026-03-19T21:16:54.487", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-03-19T21:16:54.487", "references": [{"source": "secure@microsoft.com", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23658"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Azure DevOps: msazure", "source": "cna", "vendor": "Microsoft"}, "product": "azure_devops", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-03-19T22:23:51.248528+00:00", "value": {"mitigation_remediation": ["Apply the latest Azure DevOps msazure update or patch released by Microsoft", "Enforce multi\u2011factor authentication for all Azure DevOps accounts to mitigate credential misuse", "Restrict network access to Azure DevOps endpoints to trusted IP ranges or VPNs", "Monitor Azure DevOps logs for suspicious credential usage and investigate anomalies promptly"], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The flaw affects Microsoft Azure DevOps, specifically the msazure component. No specific version information is provided in the CVE entry, but all users of Azure DevOps should consider the environment potentially impacted until a vendor patch is applied.", "description_and_impact": "This vulnerability involves insufficiently protected credentials within Azure DevOps, allowing an unauthorized attacker to elevate privileges over a network. The weakness, identified as CWE-522, permits a malicious actor to gain higher-level access than intended, potentially compromising the confidentiality, integrity, and availability of the affected code repository and associated services.", "risk_and_exploitability": "The CVSS score of 8.6 indicates high severity and a significant risk to organizations relying on Azure DevOps. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote network-based credential misuse, requiring an attacker to obtain or manipulate credentials stored within Azure DevOps. The high severity underscores the importance of promptly applying any vendor-released remediation."}}}}, "created": "2026-03-20T08:55:59.351274+00:00", "updated": "2026-03-20T11:06:09.213429+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$azure_devops"]}